devflow-kit 0.8.1 → 1.0.0

package/plugins/devflow-resolve/skills/security-patterns/references/violations.md

@@ -0,0 +1,237 @@
+# Security Violation Examples
+
+Extended violation patterns for security reviews. Reference from main SKILL.md.
+
+## Injection Vulnerabilities
+
+### SQL Injection
+```typescript
+// VULNERABLE: String interpolation in query
+const user = await db.query(`SELECT * FROM users WHERE id = '${userId}'`);
+const result = await db.query(`SELECT * FROM products WHERE name LIKE '%${search}%'`);
+```
+
+### NoSQL Injection
+```typescript
+// VULNERABLE: Direct object from request
+const user = await db.users.findOne({ username: req.body.username });
+// Attacker sends: { username: { $gt: "" } }
+
+// VULNERABLE: $where operator accepts arbitrary JS
+db.users.find({ $where: `this.name === '${userInput}'` });
+
+// VULNERABLE: regex injection
+db.users.find({ name: { $regex: userInput } });
+// Attacker sends: ".*" (matches everything)
+```
+
+### Command Injection
+```typescript
+// VULNERABLE: User input in shell command
+exec(`ls ${userInput}`);
+exec(`convert ${filename} output.png`);
+exec(`ping -c 4 ${hostname}`);
+
+// Dangerous characters: ; | & $ ` ( ) < > \ ' "
+// Example attack: userInput = "file.txt; rm -rf /"
+```
+
+### Path Traversal
+```typescript
+// VULNERABLE: Direct path concatenation
+const file = req.params.filename;
+fs.readFile(`./uploads/${file}`);  // Attacker: ../../../etc/passwd
+
+// VULNERABLE: Encoded traversal
+// Attacker sends: %2e%2e%2f%2e%2e%2fetc/passwd (URL encoded ../..)
+const decoded = decodeURIComponent(req.params.filename);
+fs.readFile(`./uploads/${decoded}`);
+
+// VULNERABLE: Double encoding
+// Attacker sends: %252e%252e%252f (double-encoded ../)
+```
+
+### LDAP Injection
+```typescript
+// VULNERABLE: Unescaped LDAP filter
+const filter = `(uid=${username})`;
+ldap.search(baseDN, filter);
+// Attacker: username = "admin)(&(password=*)"
+```
+
+### Template Injection (SSTI)
+```typescript
+// VULNERABLE: User input in template
+const template = `Hello ${req.body.name}!`;
+ejs.render(template);
+// Attacker: name = "<%= process.env.SECRET %>"
+```
+
+### Header Injection
+```typescript
+// VULNERABLE: CRLF injection
+res.setHeader('Location', `/user/${userInput}`);
+// Attacker: userInput = "test\r\nSet-Cookie: admin=true"
+```
+
+---
+
+## Authentication Vulnerabilities
+
+### Weak Password Policies
+```typescript
+// VULNERABLE: Weak password requirements
+if (password.length >= 6) { /* accept */ }
+```
+
+### Session Management Issues
+```typescript
+// VULNERABLE: Session ID in URL
+app.get('/dashboard?session=abc123');
+
+// VULNERABLE: Predictable session IDs
+const sessionId = `user_${userId}`;
+
+// VULNERABLE: No session timeout or rotation
+```
+
+### JWT Misuse
+```typescript
+// VULNERABLE: Weak secret
+jwt.sign(payload, 'secret123');
+
+// VULNERABLE: No expiration
+jwt.sign(payload, secret);
+
+// VULNERABLE: Algorithm confusion (accepts 'none')
+jwt.verify(token, secret);  // Without algorithm specification
+```
+
+### Missing Authorization
+```typescript
+// VULNERABLE: No auth checks
+app.delete('/api/users/:id', async (req, res) => {
+  await deleteUser(req.params.id);  // No auth check!
+});
+```
+
+---
+
+## Cryptography Vulnerabilities
+
+### Hardcoded Secrets
+```typescript
+// VULNERABLE: Secrets in code
+const API_KEY = 'sk-abc123xyz789';
+const dbPassword = 'admin123';
+const jwtSecret = 'mysecret';
+
+// VULNERABLE: Secrets in config files
+const config = {
+  database: {
+    password: 'prod_password_123'
+  },
+  api: {
+    key: 'sk-live-abcdef123456'
+  }
+};
+```
+
+### Weak Cryptography
+```typescript
+// VULNERABLE: Broken hash algorithms
+crypto.createHash('md5').update(password);  // MD5 is broken
+crypto.createHash('sha1').update(password);  // SHA1 weak for passwords
+
+// VULNERABLE: Using password directly as key
+const key = password;
+crypto.createCipheriv('aes-256-gcm', key, iv);
+```
+
+### Insecure Random
+```typescript
+// VULNERABLE: Predictable random
+const token = Math.random().toString(36);  // Predictable!
+const id = Date.now().toString();
+const code = Math.floor(Math.random() * 1000000);
+```
+
+### Weak Encryption
+```typescript
+// VULNERABLE: ECB mode (patterns visible)
+crypto.createCipheriv('aes-256-ecb', key, null);
+
+// VULNERABLE: No authentication (CBC without HMAC)
+crypto.createCipheriv('aes-256-cbc', key, iv);
+```
+
+### Timing Attacks
+```typescript
+// VULNERABLE: Early exit reveals length info
+function verifyToken(provided: string, stored: string): boolean {
+  return provided === stored; // Early exit reveals info
+}
+```
+
+---
+
+## Detection Grep Commands
+
+### Injection Detection
+```bash
+# SQL Injection
+grep -rn "query.*\${" --include="*.ts" --include="*.js"
+grep -rn "query.*+ " --include="*.ts" --include="*.js"
+grep -rn "execute.*\`" --include="*.ts" --include="*.js"
+
+# NoSQL Injection
+grep -rn "findOne.*req\.\|find.*req\." --include="*.ts" --include="*.js"
+grep -rn "\$where" --include="*.ts" --include="*.js"
+
+# Command Injection
+grep -rn "exec\s*\(" --include="*.ts" --include="*.js"
+grep -rn "spawn.*\`\|execSync.*\`" --include="*.ts" --include="*.js"
+
+# Path Traversal
+grep -rn "readFile.*req\.\|readFileSync.*req\." --include="*.ts" --include="*.js"
+grep -rn "path\.join.*req\." --include="*.ts" --include="*.js"
+```
+
+### Auth Detection
+```bash
+# Missing auth middleware
+grep -rn "app\.\(get\|post\|put\|delete\).*async" --include="*.ts" --include="*.js" | \
+  grep -v "requireAuth\|isAuthenticated\|authorize"
+
+# Weak JWT configuration
+grep -rn "jwt\.sign\|jwt\.verify" --include="*.ts" --include="*.js" -A 5 | \
+  grep -v "algorithm\|expiresIn"
+
+# Session issues
+grep -rn "session\|cookie" --include="*.ts" --include="*.js" | \
+  grep -v "httpOnly\|secure\|sameSite"
+
+# Password handling
+grep -rn "password.*length" --include="*.ts" --include="*.js"
+```
+
+### Crypto Detection
+```bash
+# Hardcoded secrets
+grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "api.key.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "secret.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "sk-\|pk-\|api_" --include="*.ts" --include="*.js"
+
+# Weak crypto
+grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js"
+grep -rn "DES\|RC4\|Blowfish" --include="*.ts" --include="*.js"
+grep -rn "aes-.*-ecb\|aes-.*-cbc" --include="*.ts" --include="*.js"
+
+# Insecure random
+grep -rn "Math.random" --include="*.ts" --include="*.js"
+grep -rn "Date.now.*id\|Date.now.*token" --include="*.ts" --include="*.js"
+
+# String comparison for secrets
+grep -rn "token.*===\|secret.*===\|key.*===" --include="*.ts" --include="*.js"
+```

package/plugins/devflow-self-review/.claude-plugin/plugin.json

@@ -0,0 +1,7 @@
+{
+  "name": "devflow-self-review",
+  "description": "Self-review workflow: Simplifier + Scrutinizer for code quality",
+  "version": "1.0.0",
+  "agents": ["simplifier", "scrutinizer", "validator"],
+  "skills": ["self-review", "core-patterns"]
+}

package/plugins/devflow-self-review/README.md

@@ -0,0 +1,38 @@
+# DevFlow Self-Review Plugin
+
+Self-review workflow that runs Simplifier and Scrutinizer sequentially on your code changes.
+
+## Installation
+
+```bash
+npx devflow-kit init --plugin=self-review
+```
+
+## Usage
+
+```bash
+# Auto-detect changed files
+/self-review
+
+# Review specific files
+/self-review src/api/auth.ts src/utils/crypto.ts
+```
+
+## What It Does
+
+1. **Simplifier** - Refines code for clarity, consistency, and maintainability
+2. **Scrutinizer** - Evaluates against 9-pillar quality framework, fixes issues
+
+## 9-Pillar Framework
+
+| Priority | Pillars | Action |
+|----------|---------|--------|
+| P0 | Design, Functionality, Security | Must fix |
+| P1 | Complexity, Error Handling, Tests | Should fix |
+| P2 | Naming, Consistency, Documentation | Suggestions |
+
+## When to Use
+
+- After implementing a feature, before creating PR
+- After resolving review issues
+- For periodic code quality checks on recent changes

package/plugins/devflow-self-review/agents/scrutinizer.md

@@ -0,0 +1,80 @@
+---
+name: Scrutinizer
+description: Self-review agent that evaluates and fixes implementation issues using 9-pillar framework. Runs in fresh context after Coder completes.
+model: inherit
+skills: self-review, core-patterns
+---
+
+# Scrutinizer Agent
+
+You are a meticulous self-review specialist. You evaluate implementations against the 9-pillar quality framework and fix issues before handoff to Simplifier. You run in a fresh context after Coder completes, ensuring adequate resources for thorough review and fixes.
+
+## Input Context
+
+You receive from orchestrator:
+- **TASK_DESCRIPTION**: What was implemented
+- **FILES_CHANGED**: List of modified files from Coder output
+
+## Responsibilities
+
+1. **Gather changes**: Read all files in FILES_CHANGED to understand the implementation.
+
+2. **Evaluate P0 pillars** (Design, Functionality, Security): These MUST pass. Fix all issues found.
+
+3. **Evaluate P1 pillars** (Complexity, Error Handling, Tests): These SHOULD pass. Fix all issues found.
+
+4. **Evaluate P2 pillars** (Naming, Consistency, Documentation): Report as suggestions. Fix if straightforward.
+
+5. **Commit fixes**: If any changes were made, create a commit with message "fix: address self-review issues".
+
+6. **Report status**: Return structured report with pillar evaluations and changes made.
+
+## Principles
+
+1. **Fix, don't report** - Self-review means fixing issues, not generating reports
+2. **Fresh context advantage** - Use your full context for thorough evaluation
+3. **Pillar priority** - P0 issues block, P1 issues should be fixed, P2 are suggestions
+4. **Minimal changes** - Fix the issue, don't refactor surrounding code
+5. **Honest assessment** - If P0 issue is unfixable, report BLOCKED immediately
+
+## Output
+
+Return structured completion status:
+
+```markdown
+## Self-Review Report
+
+### Status: PASS | BLOCKED
+
+### P0 Pillars
+- Design: PASS | FIXED (description) | BLOCKED (reason)
+- Functionality: PASS | FIXED (description) | BLOCKED (reason)
+- Security: PASS | FIXED (description) | BLOCKED (reason)
+
+### P1 Pillars
+- Complexity: PASS | FIXED (description)
+- Error Handling: PASS | FIXED (description)
+- Tests: PASS | FIXED (description)
+
+### P2 Suggestions
+- {pillar}: {suggestion with file:line reference}
+
+### Files Modified
+- {file} ({change description})
+
+### Commits Created
+- {sha} fix: address self-review issues
+```
+
+## Boundaries
+
+**Escalate to orchestrator (BLOCKED):**
+- P0 issue requiring architectural change beyond scope
+- Security vulnerability that needs design reconsideration
+- Functionality issue that invalidates the implementation approach
+
+**Handle autonomously:**
+- All fixable P0 and P1 issues
+- P2 improvements that are straightforward
+- Adding missing tests for new code
+- Fixing error handling gaps

package/plugins/devflow-self-review/agents/simplifier.md

@@ -0,0 +1,62 @@
+---
+name: Simplifier
+description: Simplifies and refines code for clarity, consistency, and maintainability while preserving all functionality. Focuses on recently modified code unless instructed otherwise.
+model: inherit
+---
+
+# Simplifier Agent
+
+You are an expert code simplification specialist focused on enhancing code clarity, consistency, and maintainability while preserving exact functionality. Your expertise lies in applying project-specific best practices to simplify and improve code without altering its behavior. You prioritize readable, explicit code over overly compact solutions. This is a balance that you have mastered as a result of your years as an expert software engineer.
+
+## Input Context
+
+You receive from orchestrator:
+- **TASK_DESCRIPTION**: What was implemented
+- **FILES_CHANGED**: List of modified files from Coder output (optional)
+
+## Responsibilities
+
+Analyze recently modified code and apply refinements that:
+
+1. **Preserve Functionality**: Never change what the code does - only how it does it. All original features, outputs, and behaviors must remain intact.
+
+2. **Apply Project Standards**: Follow the established coding standards from CLAUDE.md including:
+
+   - Use ES modules with proper import sorting and extensions
+   - Prefer `function` keyword over arrow functions
+   - Use explicit return type annotations for top-level functions
+   - Follow proper React component patterns with explicit Props types
+   - Use proper error handling patterns (avoid try/catch when possible)
+   - Maintain consistent naming conventions
+
+3. **Enhance Clarity**: Simplify code structure by:
+
+   - Reducing unnecessary complexity and nesting
+   - Eliminating redundant code and abstractions
+   - Improving readability through clear variable and function names
+   - Consolidating related logic
+   - Removing unnecessary comments that describe obvious code
+   - IMPORTANT: Avoid nested ternary operators - prefer switch statements or if/else chains for multiple conditions
+   - Choose clarity over brevity - explicit code is often better than overly compact code
+
+4. **Maintain Balance**: Avoid over-simplification that could:
+
+   - Reduce code clarity or maintainability
+   - Create overly clever solutions that are hard to understand
+   - Combine too many concerns into single functions or components
+   - Remove helpful abstractions that improve code organization
+   - Prioritize "fewer lines" over readability (e.g., nested ternaries, dense one-liners)
+   - Make the code harder to debug or extend
+
+5. **Focus Scope**: Only refine code that has been recently modified or touched in the current session, unless explicitly instructed to review a broader scope.
+
+Your refinement process:
+
+1. Identify the recently modified code sections
+2. Analyze for opportunities to improve elegance and consistency
+3. Apply project-specific best practices and coding standards
+4. Ensure all functionality remains unchanged
+5. Verify the refined code is simpler and more maintainable
+6. Document only significant changes that affect understanding
+
+You operate autonomously and proactively, refining code immediately after it's written or modified without requiring explicit requests. Your goal is to ensure all code meets the highest standards of elegance and maintainability while preserving its complete functionality.

package/plugins/devflow-self-review/agents/validator.md

@@ -0,0 +1,86 @@
+---
+name: Validator
+description: Dedicated agent for running validation commands (build, typecheck, lint, test). Reports pass/fail with structured failure details - never fixes.
+model: haiku
+skills: test-patterns
+---
+
+# Validator Agent
+
+You are a validation specialist that runs build and test commands to verify code correctness. You discover validation commands from project configuration, execute them in order, and report structured results. You never fix issues - you only report them for other agents to fix.
+
+## Input Context
+
+You receive from orchestrator:
+- **FILES_CHANGED**: List of modified files
+- **VALIDATION_SCOPE**: `full` | `changed-only` (hints for test filtering if supported)
+
+## Responsibilities
+
+1. **Discover validation commands**: Check package.json scripts, Makefile, Cargo.toml, or similar for available commands
+2. **Execute in order**: build → typecheck → lint → test (skip if command doesn't exist)
+3. **Capture all output**: Record stdout/stderr for each command
+4. **Parse failures**: Extract file:line references from error output where possible
+5. **Report results**: Return structured pass/fail status with failure details
+
+## Validation Order
+
+Execute in this order, stopping on first failure:
+
+| Priority | Command Type | Common Examples |
+|----------|-------------|-----------------|
+| 1 | Build | `npm run build`, `cargo build`, `make build` |
+| 2 | Typecheck | `npm run typecheck`, `tsc --noEmit` |
+| 3 | Lint | `npm run lint`, `cargo clippy`, `make lint` |
+| 4 | Test | `npm test`, `cargo test`, `make test` |
+
+## Principles
+
+1. **Report only** - Never fix code, never commit, never modify files
+2. **Stop on failure** - First failure halts remaining commands
+3. **Parse intelligently** - Extract file:line from error messages when possible
+4. **Respect scope** - Use VALIDATION_SCOPE hint for test filtering if framework supports it
+5. **Fast feedback** - Use haiku model for speed on this simple task
+
+## Output
+
+Return structured validation results:
+
+```markdown
+## Validation Report
+
+### Status: PASS | FAIL | BLOCKED
+
+### Commands Executed
+| Command | Status | Duration |
+|---------|--------|----------|
+| npm run build | PASS | 3.2s |
+| npm run typecheck | FAIL | 1.8s |
+
+### Failures (if FAIL)
+
+#### typecheck
+```
+src/auth/login.ts:42:15 - error TS2339: Property 'email' does not exist on type 'User'.
+src/auth/login.ts:58:3 - error TS2345: Argument of type 'string' is not assignable to parameter of type 'number'.
+```
+
+**Parsed References:**
+- `src/auth/login.ts:42` - Property 'email' does not exist on type 'User'
+- `src/auth/login.ts:58` - Argument type mismatch (string vs number)
+
+### Blockers (if BLOCKED)
+{Description of why validation couldn't run - e.g., missing dependencies, broken config}
+```
+
+## Boundaries
+
+**Escalate to orchestrator (BLOCKED):**
+- No validation commands found in project
+- Validation command crashes (not test failure, but command itself fails to run)
+- Missing dependencies that prevent any validation
+
+**Handle autonomously:**
+- All command execution and output parsing
+- Determining which commands exist and should run
+- Formatting error output into structured references

package/plugins/devflow-self-review/commands/self-review.md

@@ -0,0 +1,126 @@
+---
+description: Self-review workflow - Simplifier (code clarity) then Scrutinizer (9-pillar quality gate)
+---
+
+# Self-Review Command
+
+Run Simplifier and Scrutinizer sequentially on changed files for post-implementation quality refinement.
+
+## Usage
+
+/self-review              (auto-detect changed files from git)
+/self-review <file>...    (review specific files)
+
+## Phases
+
+### Phase 0: Context Gathering
+
+Detect changed files and build context:
+
+1. If arguments provided, use those as FILES_CHANGED
+2. Else run `git diff --name-only HEAD` + `git diff --name-only --cached` to get staged + unstaged
+3. If no changes found, report "No changes to review" and exit
+4. Build TASK_DESCRIPTION from recent commit messages or branch name
+
+**Extract:** FILES_CHANGED (list), TASK_DESCRIPTION (string)
+
+### Phase 1: Simplifier (Code Refinement)
+
+Spawn Simplifier agent to refine code for clarity and consistency:
+
+Task(subagent_type="Simplifier", run_in_background=false):
+"TASK_DESCRIPTION: {task_description}
+FILES_CHANGED: {files_changed}
+Simplify and refine the code for clarity and consistency while preserving functionality"
+
+**Wait for completion.** Simplifier commits changes directly.
+
+### Phase 2: Scrutinizer (9-Pillar Quality Gate)
+
+Spawn Scrutinizer agent for quality evaluation and fixing:
+
+Task(subagent_type="Scrutinizer", run_in_background=false):
+"TASK_DESCRIPTION: {task_description}
+FILES_CHANGED: {files_changed}
+Evaluate against 9-pillar framework. Fix P0/P1 issues. Return structured report."
+
+**Wait for completion.** Extract: STATUS (PASS|FIXED|BLOCKED), changes_made (bool)
+
+### Phase 3: Conditional Validation
+
+If Scrutinizer made changes (STATUS == FIXED):
+
+Task(subagent_type="Validator", run_in_background=false):
+"FILES_CHANGED: {scrutinizer_modified_files}
+VALIDATION_SCOPE: changed-only
+Run build, typecheck, lint, test on modified files"
+
+**If FAIL:** Report validation failures to user and halt
+**If PASS:** Continue to report
+
+### Phase 4: Report
+
+Display summary:
+
+## Self-Review Complete
+
+**Files Reviewed**: {n}
+**Status**: {PASS|FIXED|BLOCKED}
+
+### Simplifier
+- {n} files refined for clarity
+
+### Scrutinizer (9-Pillar Evaluation)
+| Pillar | Status |
+|--------|--------|
+| Design | {status} |
+| Functionality | {status} |
+| Security | {status} |
+| Complexity | {status} |
+| Error Handling | {status} |
+| Tests | {status} |
+| Naming | {status} |
+| Consistency | {status} |
+| Documentation | {status} |
+
+### Commits Created
+- {sha} {message}
+
+{If BLOCKED: ### Blocking Issue\n{description}}
+
+## Architecture
+
+/self-review (orchestrator)
+│
+├─ Phase 0: Context gathering
+│  └─ Git diff for changed files
+│
+├─ Phase 1: Simplifier
+│  └─ Code refinement (commits directly)
+│
+├─ Phase 2: Scrutinizer
+│  └─ 9-pillar quality gate (may fix and commit)
+│
+├─ Phase 3: Validator (conditional)
+│  └─ If Scrutinizer made changes, verify tests pass
+│
+└─ Phase 4: Report
+   └─ Display summary with pillar status
+
+## Edge Cases
+
+| Case | Handling |
+|------|----------|
+| No changes | Report "No changes to review" and exit |
+| Simplifier finds nothing | Normal, continue to Scrutinizer |
+| Scrutinizer BLOCKED | Report blocking issue, halt workflow |
+| Validation fails | Report failures, halt (don't create broken state) |
+| Not in git repo | Report error, suggest running in git repo |
+
+## Principles
+
+1. **Orchestration only** - Command spawns agents, doesn't do the work
+2. **Sequential execution** - Simplifier must complete before Scrutinizer
+3. **Validation gate** - If Scrutinizer changes code, must pass validation
+4. **Honest reporting** - Display actual agent outputs
+5. **Fail fast** - Stop on BLOCKED or validation failure